We forgot to tell you we were tapping your metadata

The Abbott government has reached the stage where it can’t take a trick, even with things that ought to be surefire winners for a conservative government. We saw this not long ago with the attack on dole bludgers. And it’s emerged again with the attempt to cover the retreat on Section 18C with new anti-terror measures (or, in the government’s telling, the dumping of 18C to secure support for the anti-terror measures).

Unfortunately, the environment has changed since the revelations made by Edward Snowden and others on the extensive (and, in aspiration, total) surveillance of communications by the US NSA. It seems likely that the end result of this will be a rolling back of the extreme surveillance powers grabbed by the authorities over the last decade.

And, while I’m at it, can we stop talking as if we are facing a massive existential crisis because of the threat of terrorism? For most of the 20th century we were threatened with invasion or nuclear annihilation, and we managed to maintain our liberties. We should do the same this time.

Agreed except that I take the view that what is required is not (almost certainly ineffectual) curbs on storage or access to the stores by police or security or spy services but adequate watching of the watchers and protection by deterrence and otherwise against public or private misuse of surveillance info.

With that major proviso I am all in favour, absent detailed arguments to confound me, of using technology to, e.g. make sure there are records of the sight and sound of burglars and their vehicles in my street, and recognise faces of wanted people in the crowds going to and from, as well as at, sports grounds (opera and gallery exhibition openings might lack cost-benefit justification even if properly PC).

I think the sting is in the tail in this post. Living in the shadow of nuclear Armageddon has been forgotten, though I remember in the early 80s, with Reagan’s Starwars fantasies and nuclear power more favoured, ’twas a scary time.

Current fear and loathing towards terror protagonists makes for an unbalanced sense of proportion. Are there any commentators or political leaders working to put these fears into measured context? Or does a permanent sense of paranoia suit too many powerful interests?

For much of the 20th Century “we” did our fair share of invading, dominating, hegemonising, colonising and – yes – terrorising other parts of the earth. Maintaining “our” liberties was perhaps possible in large part because of the dominant world role we played, especially in the second half, to feed our long period of growth and relative prosperity. We did not extend those liberties to others and frequently visited violence upon people (overseas and at home) who organised themselves to demand the same freedoms. How quickly we forget.

IIRC, the police pulled stuff on Gerard Baden-Clay that he had done on internet and phones BEFORE he was a person of interest and this was not just metadata but data (content) too. That is very revealing if you think about it.

@rog
On the face of it what you say about the CIA is implausible if construed as it logically must be to mean that they killed someone based on nothing but metadata. Can you provide verifying sources please?
I can easily conceive of the situation where metadata is used (reliably or to whatever level of probability the CIA chooses) to locate someone that the CIA is intending to kill if it can’t capture him. But that wouldn’t seem to support your point I think.

I can see that enough info about who calls who and when (except when it is Peter Reith’s son using his Dad’s phone) could add up to a compelling case – in war time – that X was at Peenemunde and was indeed a key scientist responsible for the V2….. Good bye Werner von Braun.

Yuri, my recollection of the case is that Mamdouh Habib was taken by the CIA simply for being in Pakistan. They had no evidence that he had done anything wrong, but once they had him they raped him and held him in solitary confinement to try to get him to reveal the content of what he had been doing. He was ultimately released, right? You should probably care about one of your compatriots being arrested simply on the basis of where he had been, without any prior cause, tortured for 7 years, and then released without charge. Could be you next. But my guess is you don’t care, because Mamdouh Habib was a Muslim. Amiright?

In my experience, people don’t care when they think it can’t happen to them. When bad things start happening to so many people that a critical mass of discontent is reached: then agitation for change starts happening.

I’m a technological dummy, but the other day my son was explaining to me that as we have dsl then every time we restart the router we have a new IP address. Is this true, and if so, why can’t every would-be evil-doer simply get dsl?

@calyptorhynchus
Part of the metadata to be collected will be which dynamic IP address is assigned to each customer and for what period.
Any aware bad guys will use an anonymising web site, so much of the metadata will be fairly useless (until the NSA/CIA etc compromise the anonymiser)

There are numbers of people who believe that one of the key things holding back IPv6 rollout is that IPv6 will permit home users to run home servers and bypass the centralisation that’s mandated by the current IPv4’s reliance on NAT and dynamic IP.

It’s a lot harder to “compromise the anonymiser” if anyone can set one up in their living-room.

[there aren’t enough telephone numbers to go around — four billion — so only a few computers — the central servers, mostly, facebook.com and all the web-hosts — have permanent fixed ones. Everyone else just uses party lines [NAT] and pooled numbers [dynamic IP]; you can dial to a fixed-number telephone with one of these, but no one can contact you because they don’t know what your number is at any point. IPv6 dramatically increases the number of numbers, meaning that all computers can be assigned fixed ones that can be dialed to as well as can dial out.]

@calyptorhynchus: it’s extremely likely you’re getting the same dynamic IP each time, and certain that whatever it is at any time will be logged.

@calyptorhynchus
You might get a new ip address each time you connect, but the ISP allocates it and records it to charge your account for usage, among other things. Determining who requested what is built into the system design.

To make anonymous web requests you would have to set up an encrypted connection to an “anonymizer” – a server that makes requests on your behalf and sends the results back to you. These things are around on the net and offer a free service. In this case, the government snooper could detect that you and a bunch of others have encrypted connections to an anonymizer, and that the anonymiser has connected to a bunch of downstream sites, but who connected to what cannot be determined directly. Often the anonymiser might be in a different jurisdiction or may be part of a federated group that randomly chains requests through multiple servers to further hinder analysis.

However, I certainly wouldn’t recommend this without your eyes wide open. This stuff is for experts. The anonymiser may potentially be already compromised by the government or crooks – or, government crooks – so your activity may actually already be being logged. Or your computer might get taken over by the not-so-nice people running the anonymiser who are already operating at the edge of the law. There’s no guarantee of anything. There are various other mechanisms for secure communications but none are perfect. They are also likely to emit telltale smoke even if the actual content can’t be decoded.

Your biggest source of anonymity is actually the humungous volume of data passing around the Internet – it’s impossible to analyse every exchange. What the spies want is access to the mass of raw data so that they can pick out people or sites of interest and follow related communication networks, aka “metadata”. This network analysis approach was apparently sufficiently successful against AK (we hear) that they stopped using the Internet, except to buy household commodities on eBay.

What is “meta data”? I mean in the general sense, not specifically in terms of these so-called anti terror measures. Sure, it’s “data about the data”. So “meta-data” is also “data”. So really we’re talking about data. Good! The issue then simplifies: the government wants to collect more data.

Which data? Well the government has done a very confusing job of (not) answering that question. Let’s use the Turnbull one: who has been assigned a given IP at a certain time? I would describe this as “account data”. This makes me wonder: surely the government *already* has the power to compel ISPs to provide that information via a warrant or subpoena, no?

Will this be effective? If anyone really wants to hide their internet activity, wouldn’t they simply sign up for a VPN service?

If so, then this is simply a new regulation, which will cause operational costs for ISPs to rise (which will be passed on to users, like a “big new tax”) and will simply push the baddies further underground. It also creates new (or extended) repositories of personal information, which like all data, is at risk of being released to the world via hacking or accident.

It’s hard for me to see the use of retrospective access to IP addresses unless the government is also tracking and storing browsing history. Can anyone explain this? To spell it out, suppose my IP address in 2012 was 1.1.1.1 and it’s now something else. I pop up on the ASIO radar somehow, and they can compel my ISP to give them the old IP address. But what use is that, unless they can find out what sites were visited by 1.1.1.1 back then?

John Quiggin :
It’s hard for me to see the use of retrospective access to IP addresses unless the government is also tracking and storing browsing history. Can anyone explain this? To spell it out, suppose my IP address in 2012 was 1.1.1.1 and it’s now something else. I pop up on the ASIO radar somehow, and they can compel my ISP to give them the old IP address. But what use is that, unless they can find out what sites were visited by 1.1.1.1 back then?

My understanding is that when one of our allies, or even a law enforcement agency in Oz says to the AFP, “we busted this ring of baddies and found they had a webserver that had been accessed by these IPs in the Oz geography, go check it out” the feds will track it down to an ISP, and then ask the ISP who that IP was assigned to on a certain date/time.

ISPs probably have this data already. They seem to have been moving toward fixed IPs over the years (away from dynamic assigned IPs, discussed above). But they may discard their records after a billing cycle or two, because that’s a lot of data to store, which is expensive.

The ip address history is useful to match with the historical access log of a site. The access log will have ip addresses but unlikely names. The user would need to log in with some kind of real or traceable name (unlikely, especially for terrorists) and name logging would have to be enabled (which it wouldn’t be by default as it slows the site.)

So if kenspancakes.com.au was found to be say a front for a terrorist bomb plot, and their access log history was obtained, the ip addresses in the log could be matched to the historical ip data from the ISP at that time. This allows you to build the connection network information the other way around: users of site X, rather than sites that user Y went to.

* * *

One thing that I find more than a little weird about this discussion in general is that commercial organisations will have a lot of this information already. Google knows every site I visit, partly because I let them (which provides benefits to me) and partly because they can build a lot of this information up anyway. Are we worried about giving the government information that Google and a bunch of unknown and out-of-jurisdiction web ad outfits build anyway?

The stuff that Google etc don’t get would be things that are “off web” like me using an encrypted connection to a private site or a point-to-point connection into someone’s private computer. These connections are somewhat exceptional at present but will become very common with applications like video chat and intelligent devices. It seems to me that it would be smarter to allow the government to collect the data, but have clear principles for who can use it, how and for what, what oversight systems are needed and what sanctions apply for misuse.

Exactly what use this data could be put to is the debate we are not having. Really, if you were writing the constitution today, that’s just the sort of stuff that should go in. A blanket “no monitoring” approach is naive and historically quaint.
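The matching described in the comments above (a seized site's access log joined against the ISP's record of which account held an IP address at a given time) can be shown as an added example; it is not part of the original thread, and the account IDs, lease records, record layout and log lines are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class Lease(NamedTuple):
    account: str     # subscriber account: says who pays the bill, not who was typing
    ip: str
    start: datetime  # inclusive, UTC
    end: datetime    # exclusive, UTC

def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed ISP retention records (assumed layout). The same dynamic IP is
# held by two different accounts, with a short unassigned gap in between.
LEASES = [
    Lease("ACCT-1001", "203.0.113.7", utc("2012-03-01 00:00:00"), utc("2012-03-04 09:15:00")),
    Lease("ACCT-2002", "203.0.113.7", utc("2012-03-04 09:20:00"), utc("2012-03-09 00:00:00")),
    Lease("ACCT-3003", "203.0.113.9", utc("2012-03-01 00:00:00"), utc("2012-04-01 00:00:00")),
]

# Constructed access log (Common Log Format) for the thread's hypothetical site.
ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2012:22:10:05 +0000] "GET /menu HTTP/1.1" 200 512
203.0.113.7 - - [04/Mar/2012:09:17:30 +0000] "GET /menu HTTP/1.1" 200 512
203.0.113.7 - - [04/Mar/2012:19:00:00 +1000] "GET /order HTTP/1.1" 200 128
203.0.113.9 - - [10/Mar/2012:12:00:00 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.4 - - [10/Mar/2012:12:00:01 +0000] "GET / HTTP/1.1" 200 1024
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse_log(text: str):
    """Yield (ip, utc_time, path); the log's own UTC offset is honoured."""
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), when.astimezone(timezone.utc), m.group(3)

def account_for(ip: str, when: datetime, leases) -> Optional[str]:
    """Return the single account holding `ip` at `when`, else None.

    None covers three cases: no record (other ISP or expired retention),
    a gap between leases, and overlapping records that cannot be resolved.
    """
    hits = {l.account for l in leases if l.ip == ip and l.start <= when < l.end}
    return hits.pop() if len(hits) == 1 else None

def correlate(log_text: str, leases):
    """Build 'users of site X': one (ip, time, path, account) row per request."""
    return [(ip, when, path, account_for(ip, when, leases))
            for ip, when, path in parse_log(log_text)]

def accounts_seen(log_text: str, leases):
    return {acct for *_, acct in correlate(log_text, leases) if acct}

if __name__ == "__main__":
    for ip, when, path, acct in correlate(ACCESS_LOG, LEASES):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z {ip:<13} {path:<7} {acct or 'unresolved'}")
```

The third log line is stamped 19:00 at +1000, which is 09:00 UTC and therefore belongs to the earlier lease; read without its offset it would be attributed to the account that was assigned the address afterwards.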

You do yourself a discredit by using the “xyz corp has all my data already, so what’s the difference?”

The difference is you opted in for Google tracking, and may opt out.

But this is all missing the big picture. Tony Abbott has said himself that there has been no change to the threat of terrorist acts here in Australia. Which begs the question, why then do we need a change to the law to counter this non-change?

I was trying to think up a clever paraphrase to one of his great quotes: “It’s a so-called market in the non-delivery of an invisible substance to no-one.” … but couldn’t quite get there…

I’m still having trouble here. If I’m the operator of a dodgy site, wouldn’t I and my users benefit from wiping the access logs on a daily basis (or maybe weekly if you want to do some kind of troubleshooting). I’m not saying there aren’t people dumb enough not to do this, but surely AQ and similar aren’t going to be among them.

So, it seems as if the only way historical access logs are going to be kept is if ISPs keep them, or if the government taps them directly.

John Quiggin :
I’m still having trouble here. If I’m the operator of a dodgy site, wouldn’t I and my users benefit from wiping the access logs on a daily basis (or maybe weekly if you want to do some kind of troubleshooting).

Quite right! That’s one of the many ways this proposal is ineffective. On the other hand, consider the many monumental IT stuff-ups by organisations with massive IT budgets. So you never know…

Even some of the popular VPN services have logs, which kind of defeats the purpose (I assume they want logs so they can detect clients sharing their account, etc.)

On the other hand, some authorities (e.g. NSA) might do some “packet-sniffing” prior to taking down the baddies. This will show traffic between two IPs, regardless of any logging on the server side.

On the other, other hand, many of my friends have access to my Wi-Fi when they come visit. Further, my WiFi connection might be open to the public, so it could be anyone walking past, a neighbor, etc. So just because some traffic went between my IP and some baddie’s server, doesn’t mean it was me doing it.

So this data might yield evidence, but certainly not proof.

p.s. I’m using “baddies” here to describe the government target. This might be a child porn ring (a favoured example of government spruikers). But it’s likely to include whistle-blowers like Wikileaks, or even journalists. In that case, the authorities might be more inclined to allow the service/journalist to continue, but just monitor traffic so they can pounce on a whistle-blower when and if it suits…

Since this all comes under “bone headed stupidity” allowance must be made for commenting. It seems to be that metadata presumes the existence of algorithms that can capture data relevant individual internet data en masse. Even if content can be tapped, it is more difficult to analyse, and often not as useful in terms of understanding behavior. Metadata can create a picture of the individual user, and raises issues of privacy. There is a divide between the age of the printing press and internet. A search warrant is irrelevant if the data has not been stored. Why should ISPs be responsible for collecting and storing information, and who is to define what algorithm should be used? Who does the data belong to, who can use it for possible commercial and other possible purposes, and who can have access, and under what conditions? The fact that metadata is being collected does not make it right, legal, or a violation of privacy.

If my understanding is correct, part of the plan is to compel ISPs to hold this information at their own expense. That does give rise to the interesting constitutional problem of whose property it is when the government compulsorily acquires it. They can’t argue that the ISP still has it and therefore nothing has been acquired, as that would seem to undermine the entire basis of copyright law (although IANAL).

On anonymisers, the US government is reportedly trying to penetrate TOR and target users as suspects because they are using an anonymiser. So unless you can assure your anonymity as a user first, it may not be worth the effort.

2 tanners :
If my understanding is correct, part of the plan is to compel ISPs to hold this information at their own expense. That does give rise to the interesting constitutional problem of whose property it is when the government compulsorily acquires it. They can’t argue that the ISP still has it and therefore nothing has been acquired, as that would seem to undermine the entire basis of copyright law (although IANAL).

Most (if not all) businesses have to operate within some sort of regulatory boundary, which in most cases increases costs (that are normally passed onto the customer). E.g. banking, healthcare, even the local fish-and-chip shop (they have to pay for proper disposal of their frying oil).

I don’t think the proposed data retention plan is different in that regard…

My concern is the parallel discussions the government would be having with ISPs on data retention for national security purposes and making ISPs more of a player in countering copyright infringement. As I understand it much of the metadata could be used for both purposes.

All businesses should operate within regulatory boundaries, and I suspect that I am probably the most extreme on this forum in actually supporting the right of the state to scrutinise mail in all forms and other activities to prevent crime. The big BUT is that these powers need to be overseen by an independent judiciary and as I understand it this is what these laws propose to circumvent.

The point I was making was that in forcing ISPs to keep what is clearly intellectual property and then demanding access to that property does not differ from demanding access to Fax TV’s Game of Thrones series (or come that, a digital version of Debbie Does Dallas). At best, the metadata belongs to the ISP who must be compensated, but in all likelihood the metadata belongs to the creator who must be both notified and compensated under the constitution. There is no right to prevention of acquisition and equally there is a constitutional guarantee of compensation. Again, IANAL but it would make for an entertaining High Court case.

My great concern is with the concept of doing things to “prevent crime”. Sure, lock your doors to help prevent burglary and so on. But total surveillance and invasion of internet activity by the government – or its 5 eyes partners doing so and feeding it back to them filtered in a way to make it ‘legal’ – is something that I see less to do with crime prevention and more to do with silencing dissent.

Using ASIO to detain, and deport, the non-violence protest activist Scott Parkin under Howard or using ASIO to spy on climate activists under the ALP are examples of the basis for such concern.

I would be happy – with a proper court process etc.. – for all sorts of spying to be used in solving crimes, but less happy to give it a free pass for “prevention”.

I got the “bold” a bit wrong there. I wanted to emphasize “solving” crimes as OK but “prevention” as dangerous.

To “prevent” a crime you have to know that it is going to happen.

To “know” it is going to happen you must have a reason.

Suspicion is not good enough. The US is currently killing innocent people, including Australians, without any legal process based on something that is essentially an algorithm. They call it the “disposition matrix”.

They often don’t even know who they’ve obliterated. It just “feels” right, because the minced person “fits” a category they have fallen into by meta-data: contacts, movements, numbers called, location, websites visited etc…

You got the bolding pretty right I thought. Yes, it is terrifying, the direction the US is headed. I just hope a relatively peaceful, democratic reversal of these US trends will be initiated by the US populace. That is the best we can hope for. Realistically, nobody outside the USA has any chance of modifying these US policies.

2 tanners :
@Rob
The point I was making was that in forcing ISPs to keep what is clearly intellectual property and then demanding access to that property does not differ from demanding access to Fax TV’s Game of Thrones series (or come that, a digital version of Debbie Does Dallas)….

I don’t understand why my internet address would be considered intellectual property. Is the street address of my house intellectual property, and if not, how is it different to my internet address?

Living in the shadow of nuclear Armageddon has been forgotten, though I remember in the early 80s, with Reagan’s Starwars fantasies and nuclear power more favoured, ’twas a scary time.

We owe it to the late Lieutenant-Colonel Robert Bowman (1933-2013) for preventing nuclear war during the Reagan Years. Robert Bowman was Director of Advanced Space Programs Development for the U.S. Air Force in the Ford and Carter administrations, but had retired before Reagan was elected. Because he had retired before Reagan was elected, he was, unlike many he worked with, able to blow the whistle on plans of people in the Reagan administration to launch war. Had he not retired, he would have had to remain silent or risk imprisonment. Bowman toured the United States and gave speeches to packed meetings against the war plans and forced the Star-Warriors to back down.

Robert Bowman tried to win preselection as Democratic Presidential Candidate in 2006 but was beaten by the rorts in the preselection system in Florida.

Living in the shadow of nuclear Armageddon has been forgotten, though I remember in the early 80s, with Reagan’s Starwars fantasies and nuclear power more favoured, ’twas a scary time.

We owe it to the late Lieutenant-Colonel Robert Bowman (1933-2013) for preventing nuclear war during the Reagan Years. Robert Bowman was Director of Advanced Space Programs Development for the U.S. Air Force in the Ford and Carter administrations, but had retired before Reagan was elected. Because he had retired before Reagan was elected, he was, unlike many he worked with, able to blow the whistle on plans of people in the Reagan administration to launch war. Had he not retired, he would have had to remain silent or risk imprisonment. Bowman toured the United States and gave speeches to packed meetings against the war plans and forced the Star-Warriors to back down.

Robert Bowman tried to win preselection as Democratic Presidential Candidate in 2006 but was beaten by the rorts in the preselection system in Florida.

There was no Presidential election in 2006. In 2006 Robert Bowman sought and won nomination as the Democratic candidate for the House of Representatives from Florida’s 15th Congressional District but was beaten in the general election by the incumbent Republican Dave Weldon.

Your suggestions about the effects of his speeches on the subject of the so-called Strategic Defence Initiative: are they any more accurate? I don’t know.